I struggled with the phrasing here, any fine-tuning (or more) appreciated. Does our default make sense considering the warning at the top of the doc? Should we make people specify "RemoteIPTrustedProxy *" if they don't want to restrict it?
On Tue, Sep 22, 2015 at 2:11 PM, <cove...@apache.org> wrote: > Author: covener > Date: Tue Sep 22 18:11:35 2015 > New Revision: 1704683 > > URL: http://svn.apache.org/viewvc?rev=1704683&view=rev > Log: > add warnings and emphasize the defaults for trusted non-internal proxies) > > > Modified: > httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml > > Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml?rev=1704683&r1=1704682&r2=1704683&view=diff > ============================================================================== > --- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml (original) > +++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml Tue Sep 22 18:11:35 > 2015 > @@ -113,9 +113,12 @@ via the request headers. > <var>header-field</var> header as the useragent IP address, or list > of intermediate useragent IP addresses, subject to further configuration > of the <directive > module="mod_remoteip">RemoteIPInternalProxy</directive> and > - <directive module="mod_remoteip">RemoteIPTrustedProxy</directive> > directives. Unless these > - other directives are used, <module>mod_remoteip</module> will trust all > - hosts presenting a <directive > module="mod_remoteip">RemoteIPHeader</directive> IP value.</p> > + <directive module="mod_remoteip">RemoteIPTrustedProxy</directive> > directives.</p> > + > + <note type="warning"> Unless these other directives are used, > <module>mod_remoteip</module> > + will trust all hosts presenting a non internal address in the > + <directive module="mod_remoteip">RemoteIPHeader</directive> header value. > + </note> > > <example><title>Internal (Load Balancer) Example</title> > <highlight language="config"> 
> @@ -213,20 +216,26 @@ RemoteIPProxiesHeader X-Forwarded-By > > <directivesynopsis> > <name>RemoteIPTrustedProxy</name> > -<description>Declare client intranet IP addresses trusted to present the > RemoteIPHeader value</description> > +<description>Restrict client IP addresses trusted to present the > RemoteIPHeader value</description> > <syntax>RemoteIPTrustedProxy > <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var> > ...</syntax> > <contextlist><context>server config</context><context>virtual > host</context></contextlist> > > <usage> > - <p>The <directive module="mod_remoteip">RemoteIPTrustedProxy</directive> > directive adds one > - or more addresses (or address blocks) to trust as presenting a valid > - RemoteIPHeader value of the useragent IP. Unlike the > - <directive module="mod_remoteip">RemoteIPInternalProxy</directive> > directive, any intranet > + <p>The <directive module="mod_remoteip">RemoteIPTrustedProxy</directive> > + directive restricts which peer IP addresses (or address blocks) will be > + trusted to present a valid RemoteIPHeader value of the useragent IP.</p> > + > + <p> Unlike the <directive > module="mod_remoteip">RemoteIPInternalProxy</directive> directive, any > intranet > or private IP address reported by such proxies, including the 10/8, > 172.16/12, > 192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public > 2000::/3 block) are not trusted as the useragent IP, and are left in the > <directive module="mod_remoteip">RemoteIPHeader</directive> header's > value.</p> > > + <note type="warning">By default, <module>mod_remoteip</module> will trust > + all hosts presenting a non internal address in the > + <directive module="mod_remoteip">RemoteIPHeader</directive> header value. > + </note> > + > <example><title>Trusted (Load Balancer) Example</title> > <highlight language="config"> > RemoteIPHeader X-Forwarded-For 
> @@ -239,7 +248,7 @@ RemoteIPTrustedProxy proxy.example.com > > <directivesynopsis> > <name>RemoteIPTrustedProxyList</name> > -<description>Declare client intranet IP addresses trusted to present the > RemoteIPHeader value</description> > +<description>Restrict client IP addresses trusted to present the > RemoteIPHeader value</description> > <syntax>RemoteIPTrustedProxyList <var>filename</var></syntax> > <contextlist><context>server config</context><context>virtual > host</context></contextlist> > > > -- Eric Covener cove...@gmail.com --------------------------------------------------------------------- To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org For additional commands, e-mail: docs-h...@httpd.apache.org
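Review bot: the warning added in the first hunk is ambiguous about which side has to be non-internal: "trust all hosts presenting a non internal address in the RemoteIPHeader header value" can be read either as the presenting host being non-internal or as the presented address being non-internal. The RemoteIPTrustedProxy usage text in the next hunk makes clear it is the value (private addresses "are left in the header's value"), so a phrasing such as "will accept a RemoteIPHeader value from any peer, provided the address presented is not an intranet/private one" states the actual rule; "non internal" should also be hyphenated as "non-internal" in both new notes. Minor: the log message ends with an unmatched ")".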
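Review bot: in the second hunk the new <description> for RemoteIPTrustedProxy says "client IP addresses" while the rewritten <usage> paragraph says "peer IP addresses"; the directive matches the connection peer (the proxy), not the end client, so "peer" is the accurate word in both places, and the identical <description> for RemoteIPTrustedProxyList in the third hunk should follow suit. The warning added here repeats the one added to the RemoteIPHeader section almost verbatim; a cross-reference to that section (or one warning in the module summary) would keep the two from drifting apart. Style: stray leading space in "<p> Unlike".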
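To make the default the patch warns about concrete, here is an added example (not mod_remoteip's code, and not part of this thread) that models the documented trust rules: internal proxies are trusted for any address, trusted proxies are trusted only for non-private addresses which otherwise stay in the header, and with neither directive set every peer is treated as a trusted proxy. The peer and header addresses are constructed documentation ranges.

```python
import ipaddress

# Private/intranet blocks listed in the mod_remoteip docs; anything outside
# 2000::/3 is treated the same way for IPv6.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def is_internal(addr):
    """True if addr is an intranet/private address per the documented blocks."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ip not in ipaddress.ip_network("2000::/3")
    return any(ip in net for net in PRIVATE_NETS)


def in_list(addr, nets):
    """True if addr falls in any of the configured proxy addresses/subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def useragent_ip(peer, xff, internal=(), trusted=()):
    """Simplified model (an assumption, not the module's implementation) of the
    RemoteIPHeader walk. peer is the TCP peer; xff is the header list, oldest
    entry first. Returns (client_ip, addresses left in the header)."""
    hops = list(xff)
    client = peer
    unrestricted = not internal and not trusted  # default: no directive configured
    while hops:
        candidate = hops[-1]
        if in_list(client, internal):            # internal proxy: trust any value
            hops.pop()
            client = candidate
            continue
        if unrestricted or in_list(client, trusted):
            if is_internal(candidate):           # private value from a trusted/default
                break                            # peer is not trusted; it stays in the header
            hops.pop()
            client = candidate
            continue
        break                                    # peer is neither internal nor trusted
    return client, hops


if __name__ == "__main__":
    # Default config: a direct connection from 203.0.113.10 can claim to be 198.51.100.7.
    print(useragent_ip("203.0.113.10", ["198.51.100.7"]))
    # Restricting trust to the load balancer 192.0.2.1 ignores that claim.
    print(useragent_ip("203.0.113.10", ["198.51.100.7"], trusted=["192.0.2.1"]))
```

The first two calls show why the warning matters: without RemoteIPTrustedProxy or RemoteIPInternalProxy a spoofed header from any peer becomes the logged client address, while naming the balancer as the only trusted peer leaves the real peer address in place.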